What You Need to Know About Vulnerability Management Best Practices

Team Tenable

How can CISOs and their cybersecurity teams incorporate Tenable’s Predictive Prioritization capability and the Vulnerability Priority Rating into their vulnerability management strategy? The Tenable team offers some best practices.

Throughout the course of 2019, the Tenable team has been talking about the benefits of Predictive Prioritization — the process of re-prioritizing vulnerabilities based on the probability they will be leveraged in an attack. 

This new capability, introduced in February 2019, combines Tenable-collected vulnerability data with third-party vulnerability and threat intelligence and analyzes them together using an advanced data science algorithm developed by Tenable Research. The data analysis is used to develop a Vulnerability Priority Rating (VPR) for each vulnerability. 

Predictive Prioritization is now available in Tenable.sc and Tenable.io to help security teams focus on what matters most. But what are the best practices for implementing Predictive Prioritization and VPR?

During a recent webinar entitled “Putting Predictive Prioritization To Work,” Kevin Flynn, a senior product marketing manager at Tenable, joined senior security consultants Brian Baumgarten and John Vasquez to discuss Predictive Prioritization and VPR. They explored how CISOs, their security teams and even third-party vendors and service providers can incorporate these capabilities into their vulnerability management plans.

Setting Vulnerability Management KPIs

As with any good security project, one of the best ways to start is by establishing reasonable Key Performance Indicators (KPIs) to guide the security team and create realistic goals. Tenable recommends these five KPIs to get you started:

  • Scan frequency: How often does your enterprise conduct assessments?
  • Scan intensity: How many different scans are launched on a given scan day?
  • Asset authentication: How does your enterprise measure assessment depth?
  • Asset coverage: What proportion of the licensed assets are scanned in a 90-day period?
  • Vulnerability coverage: What proportion of total vulnerability plugins are used in a 90-day period?

Once these KPIs are established, here are three ways security teams can start applying Predictive Prioritization and VPR to their vulnerability management process.

  • In the discovery phase, VPR can assist in classifying assets within the network by improving accuracy and helping to discover new IP addresses that have been added.
  • When scanning, VPR can be automatically applied. As the security team scans the network more frequently, the threat intelligence improves because there’s more data to analyze in real-time.
  • During the patching process, VPR helps security teams provide much-needed context to the IT professionals responsible for patching, improving their ability to prioritize and allocate resources based on real-world risk.

Frequent scanning is crucial. “The more you scan frequently, the more you are going to know of the current potential,” Vasquez said. For example, Vasquez said, when the WannaCry ransomware attacks started in 2017, the malware was released several months before the incidents began in earnest. Better scanning might have helped security professionals identify the potential to do harm and could have prompted more urgent patching.
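The five KPIs listed under "Setting Vulnerability Management KPIs" can be computed from scan history over the 90-day window the article mentions. The following is an added example written for this page, not Tenable code or a Tenable export format; the record layout, the licensed-asset inventory and the plugin count are constructed, and the scan frequency and intensity definitions (assessment days per calendar day, scans per assessment day) are assumptions.

```python
from datetime import date, timedelta

# Constructed scan history, one record per (scan, asset, plugin) result.
# Record layout: (scan_id, scan_date, asset, plugin_id, authenticated).
LICENSED_ASSETS = {"web-01", "web-02", "db-01", "app-01", "app-02"}
TOTAL_PLUGINS = 4  # constructed size of the plugin set
SCAN_RESULTS = [
    ("s1", date(2019, 6, 1), "web-01", 10001, False),
    ("s1", date(2019, 6, 1), "web-02", 10001, False),
    ("s2", date(2019, 6, 1), "db-01", 10002, True),
    ("s3", date(2019, 6, 8), "web-01", 10003, True),
    ("s3", date(2019, 6, 8), "app-01", 10003, True),
    ("s4", date(2019, 1, 15), "app-02", 10004, True),  # older than 90 days
]


def kpis(results, licensed, total_plugins, as_of, window_days=90):
    """Compute the five KPIs over the trailing window ending at as_of."""
    start = as_of - timedelta(days=window_days)
    recent = [r for r in results if start < r[1] <= as_of]

    # Group distinct scan ids by the day they ran (frequency and intensity).
    scans_by_day = {}
    for scan_id, day, _asset, _plugin, _auth in recent:
        scans_by_day.setdefault(day, set()).add(scan_id)
    scan_days = len(scans_by_day)
    scans_total = sum(len(ids) for ids in scans_by_day.values())

    assets_seen = {r[2] for r in recent}
    authenticated = {r[2] for r in recent if r[4]}  # assessment depth proxy
    plugins_used = {r[3] for r in recent}

    return {
        "scan_frequency": scan_days / window_days,
        "scan_intensity": scans_total / max(scan_days, 1),
        "asset_authentication": len(authenticated) / max(len(assets_seen), 1),
        "asset_coverage": len(assets_seen & licensed) / len(licensed),
        "vulnerability_coverage": len(plugins_used) / total_plugins,
    }


if __name__ == "__main__":
    for name, value in kpis(SCAN_RESULTS, LICENSED_ASSETS, TOTAL_PLUGINS, date(2019, 6, 19)).items():
        print(f"{name:24s} {value:.3f}")
```

Asset coverage counts only licensed assets, so an unlicensed host that appears in a scan does not inflate the number.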

Additionally, VPR scores can also be used to help structure service-level agreements (SLAs) with third-party service providers. For firms that outsource patching and remediation, VPR gives the service provider and client a way to prioritize and evaluate remediation efforts, improving outcomes and overall security posture.

Vulnerability Priority Rating: Practical Results

Flynn, Baumgarten and Vasquez shared two examples of how organizations can put VPR to use.

First, VPR can assist in prioritizing fixes and patches to systems that are internet-facing, where unpatched applications can be exploited using common rootkits. Using VPR in combination with Tenable’s Nessus Network Monitor, security teams can create a dynamic asset list using filters as well as certain key terms, such as “Adobe” or other software frequently targeted in attacks.

Second, if an attacker is able to penetrate the network through an internet-facing system in an attempt to escalate privileges and move laterally through the network, the VPR score can be used to identify which vulnerabilities might be exploited first. This enables teams to be more strategic about deploying patches to stop the attack.
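The two practical uses above (the internet-facing "Adobe" filter and VPR-driven patch ordering) and the SLA structuring mentioned earlier can be combined into one remediation workflow. This is an added example for this page, not Tenable product code; the findings, their CVSS and VPR values, the VPR band thresholds and the SLA day counts are all constructed assumptions.

```python
from datetime import date, timedelta

# Constructed findings; values and asset tags are made up for this example.
FINDINGS = [
    {"asset": "web-01", "internet_facing": True, "product": "Adobe ColdFusion", "cvss": 7.5, "vpr": 9.4},
    {"asset": "web-01", "internet_facing": True, "product": "Apache httpd", "cvss": 9.8, "vpr": 5.2},
    {"asset": "app-01", "internet_facing": False, "product": "Adobe Reader", "cvss": 9.3, "vpr": 6.7},
    {"asset": "db-01", "internet_facing": False, "product": "PostgreSQL", "cvss": 5.3, "vpr": 3.1},
]

# Assumed VPR bands and remediation windows for an SLA; set from your own agreement.
SLA_BANDS = [(9.0, "critical", 7), (7.0, "high", 30), (4.0, "medium", 90), (0.0, "low", 180)]


def sla_for(vpr):
    """Map a VPR score to its assumed band and remediation window in days."""
    for floor, band, days in SLA_BANDS:
        if vpr >= floor:
            return band, days
    return SLA_BANDS[-1][1], SLA_BANDS[-1][2]


def dynamic_asset_list(findings, keywords=("Adobe",), internet_facing=True):
    """Filter to internet-facing findings whose product matches a key term."""
    return [
        f for f in findings
        if f["internet_facing"] == internet_facing
        and any(k.lower() in f["product"].lower() for k in keywords)
    ]


def prioritize(findings, key="vpr"):
    """Order findings by the chosen score, highest first (VPR by default)."""
    return sorted(findings, key=lambda f: f[key], reverse=True)


def remediation_plan(findings, as_of):
    """Build a VPR-ordered plan with an SLA due date per finding."""
    plan = []
    for f in prioritize(findings):
        band, days = sla_for(f["vpr"])
        due = (as_of + timedelta(days=days)).isoformat()
        plan.append((f["asset"], f["product"], band, due))
    return plan


if __name__ == "__main__":
    for row in remediation_plan(FINDINGS, date(2019, 6, 19)):
        print(row)
```

Sorting the same findings by CVSS instead of VPR puts the Apache finding first, which is the re-ordering effect the article attributes to Predictive Prioritization.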


Published on Jun 19, 2019
